From db334a3b94a926923df1755fe8117e533d3a06a8 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 24 Sep 2019 14:16:24 +0200
Subject: [PATCH] FIX Var not enough sanitized
---
 htdocs/admin/emailcollector_card.php | 4 +-
 htdocs/categories/viewcat.php | 2 +-
 htdocs/comm/action/index.php | 2 +-
 htdocs/install/check.php | 2 +-
 htdocs/install/repair.php | 2 +-
 htdocs/main.inc.php | 2 +-
 htdocs/public/ticket/create_ticket.php | 6 +-
 htdocs/ticket/card.php | 6 +-
 htdocs/user/card.php | 53 +++++++++++++-------------
 htdocs/website/index.php | 6 +-
 10 files changed, 43 insertions(+), 42 deletions(-)
diff --git a/htdocs/admin/emailcollector_card.php b/htdocs/admin/emailcollector_card.php
index 6d1b640f45b..64e784ece9d 100644
--- a/htdocs/admin/emailcollector_card.php
+++ b/htdocs/admin/emailcollector_card.php
@@ -116,7 +116,7 @@ if (empty($reshook))
 if (GETPOST('addfilter', 'alpha'))
 {
 $emailcollectorfilter = new EmailCollectorFilter($db);
- $emailcollectorfilter->type = GETPOST('filtertype', 'az09');
+ $emailcollectorfilter->type = GETPOST('filtertype', 'aZ09');
 $emailcollectorfilter->rulevalue = GETPOST('rulevalue', 'alpha');
 $emailcollectorfilter->fk_emailcollector = $object->id;
 $emailcollectorfilter->status = 1;
@@ -150,7 +150,7 @@ if ($action == 'deletefilter')
 if (GETPOST('addoperation', 'alpha'))
 {
 $emailcollectoroperation = new EmailCollectorAction($db);
- $emailcollectoroperation->type = GETPOST('operationtype', 'az09');
+ $emailcollectoroperation->type = GETPOST('operationtype', 'aZ09');
 $emailcollectoroperation->actionparam = GETPOST('operationparam', 'none');
 $emailcollectoroperation->fk_emailcollector = $object->id;
 $emailcollectoroperation->status = 1;
diff --git a/htdocs/categories/viewcat.php b/htdocs/categories/viewcat.php
index a7a0767c6b5..40eda2da913 100644
--- a/htdocs/categories/viewcat.php
+++ b/htdocs/categories/viewcat.php
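Review bot: Correcting the check-type string from `'az09'` to `'aZ09'` restores sanitization of `filtertype`, but nothing in the hunk prevents the same typo from silently disabling it again; the fact that an unrecognised `'az09'` reached the collector unsanitized suggests GETPOST's handling of its check argument has no rejecting `default` branch, which is worth confirming. A `default:` case in GETPOST that logs via `dol_syslog(...)` and applies the most restrictive filter it knows would turn a future mistyped check into a visible error rather than a missing check. The same one-character correction recurs in the second hunk of this file and in categories/viewcat.php, comm/action/index.php, install/check.php, install/repair.php, main.inc.php, public/ticket/create_ticket.php, ticket/card.php and website/index.php, so the root cause is systemic rather than local. The enclosing `if (empty($reshook))` block begins before this hunk.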
@@ -36,7 +36,7 @@ $langs->load("categories");
 $id = GETPOST('id', 'int');
 $label= GETPOST('label', 'alpha');
-$type = GETPOST('type', 'az09');
+$type = GETPOST('type', 'aZ09');
 $action=GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 $removeelem = GETPOST('removeelem', 'int');
diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php
index 48165361d7c..4ea61e2db38 100644
--- a/htdocs/comm/action/index.php
+++ b/htdocs/comm/action/index.php
@@ -87,7 +87,7 @@ $week=GETPOST("week", "int")?GETPOST("week", "int"):date("W");
 $day=GETPOST("day", "int")?GETPOST("day", "int"):date("d");
 $pid=GETPOST("search_projectid", "int", 3)?GETPOST("search_projectid", "int", 3):GETPOST("projectid", "int", 3);
 $status=GETPOST("search_status", 'aZ09')?GETPOST("search_status", 'aZ09'):GETPOST("status", 'aZ09'); // status may be 0, 50, 100, 'todo'
-$type=GETPOST("search_type", 'az09')?GETPOST("search_type", 'az09'):GETPOST("type", 'az09');
+$type=GETPOST("search_type", 'aZ09')?GETPOST("search_type", 'aZ09'):GETPOST("type", 'aZ09');
 $maxprint=(isset($_GET["maxprint"])?GETPOST("maxprint"):$conf->global->AGENDA_MAX_EVENTS_DAY_VIEW);
 // Set actioncode (this code must be same for setting actioncode into peruser, listacton and index)
 if (GETPOST('search_actioncode', 'array'))
diff --git a/htdocs/install/check.php b/htdocs/install/check.php
index 43645f402ed..025c2c06dd5 100644
--- a/htdocs/install/check.php
+++ b/htdocs/install/check.php
@@ -35,7 +35,7 @@ $allowinstall = 0;
 $allowupgrade = false;
 $checksok = 1;
-$setuplang=GETPOST("selectlang", 'az09', 3)?GETPOST("selectlang", 'az09', 3):$langs->getDefaultLang();
+$setuplang=GETPOST("selectlang", 'aZ09', 3)?GETPOST("selectlang", 'aZ09', 3):$langs->getDefaultLang();
 $langs->setDefaultLang($setuplang);
 $langs->load("install");
diff --git a/htdocs/install/repair.php b/htdocs/install/repair.php
index d34d43384d0..95ad4d2d563 100644
--- a/htdocs/install/repair.php
+++ b/htdocs/install/repair.php
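Review bot: The line directly after the corrected `$type` assignment in comm/action/index.php still reads `GETPOST("maxprint")` with no check argument, so that value reaches `$maxprint` unfiltered while every neighbouring line in the hunk names a check; given the commit's purpose, `$maxprint=(isset($_GET["maxprint"])?GETPOST("maxprint", 'int'):$conf->global->AGENDA_MAX_EVENTS_DAY_VIEW);` would close the gap. Whether the unfiltered value is harmful depends on how `$maxprint` is used further down the file, which is outside the hunk, but a per-day event limit has no reason to be anything but an integer.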
@@ -42,7 +42,7 @@ error_reporting(0);
 @set_time_limit(120);
 error_reporting($err);
-$setuplang=GETPOST("selectlang", 'az09', 3)?GETPOST("selectlang", 'az09', 3):'auto';
+$setuplang=GETPOST("selectlang", 'aZ09', 3)?GETPOST("selectlang", 'aZ09', 3):'auto';
 $langs->setDefaultLang($setuplang);
 $langs->loadLangs(array("admin","install","other"));
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 0993cea8307..fcd2d8d7e54 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -988,7 +988,7 @@ if (! defined('NOLOGIN'))
 }
-dol_syslog("--- Access to ".$_SERVER["PHP_SELF"].' - action='.GETPOST('action', 'az09').', massaction='.GETPOST('massaction', 'az09'));
+dol_syslog("--- Access to ".$_SERVER["PHP_SELF"].' - action='.GETPOST('action', 'aZ09').', massaction='.GETPOST('massaction', 'aZ09'));
 //Another call for easy debugg
 //dol_syslog("Access to ".$_SERVER["PHP_SELF"].' GET='.join(',',array_keys($_GET)).'->'.join(',',$_GET).' POST:'.join(',',array_keys($_POST)).'->'.join(',',$_POST));
diff --git a/htdocs/public/ticket/create_ticket.php b/htdocs/public/ticket/create_ticket.php
index b7d17244c2a..b2434e7d826 100644
--- a/htdocs/public/ticket/create_ticket.php
+++ b/htdocs/public/ticket/create_ticket.php
@@ -138,9 +138,9 @@ if ($action == 'create_ticket' && GETPOST('add', 'alpha')) {
 $object->message = GETPOST("message", "none");
 $object->origin_email = $origin_email;
- $object->type_code = GETPOST("type_code", 'az09');
- $object->category_code = GETPOST("category_code", 'az09');
- $object->severity_code = GETPOST("severity_code", 'az09');
+ $object->type_code = GETPOST("type_code", 'aZ09');
+ $object->category_code = GETPOST("category_code", 'aZ09');
+ $object->severity_code = GETPOST("severity_code", 'aZ09');
 if (is_array($searched_companies)) {
 $object->fk_soc = $searched_companies[0]->id;
 }
diff --git a/htdocs/ticket/card.php b/htdocs/ticket/card.php
index b770e2fec40..2c52ec513ff 100644
--- a/htdocs/ticket/card.php
+++ b/htdocs/ticket/card.php
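Review bot: In public/ticket/create_ticket.php the `aZ09` check now limits `type_code`, `category_code` and `severity_code` to alphanumerics, but this is the public form (the path is under `htdocs/public/`), so an anonymous submitter can still post any alphanumeric code; if the code that later persists `$object` does not validate these against the configured ticket types, categories and severities, an arbitrary code would be stored as-is. Validating each posted code against the set of active dictionary codes before assigning it to `$object`, and rejecting the submission otherwise, would make the filter a real whitelist rather than a character class. Two lines above, `$object->message = GETPOST("message", "none");` also accepts unfiltered input, which is presumably intentional for rich text but deserves a comment stating where it is escaped. The enclosing `if ($action == 'create_ticket' ...)` block starts before and ends after this hunk.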
@@ -570,9 +570,9 @@ if ($action == "change_property" && GETPOST('btn_update_ticket_prop', 'alpha') &
 {
 $object->fetch(GETPOST('id', 'int'), '', GETPOST('track_id', 'alpha'));
- $object->type_code = GETPOST('update_value_type', 'az09');
- $object->severity_code = GETPOST('update_value_severity', 'az09');
- $object->category_code = GETPOST('update_value_category', 'az09');
+ $object->type_code = GETPOST('update_value_type', 'aZ09');
+ $object->severity_code = GETPOST('update_value_severity', 'aZ09');
+ $object->category_code = GETPOST('update_value_category', 'aZ09');
 $ret = $object->update($user);
 if ($ret > 0) {
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index aa6b8fc12b5..90cc0a142cb 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -54,7 +54,6 @@ $id = GETPOST('id', 'int');
 $action = GETPOST('action', 'aZ09');
 $mode = GETPOST('mode', 'alpha');
 $confirm = GETPOST('confirm', 'alpha');
-$subaction = GETPOST('subaction', 'alpha');
 $group = GETPOST("group", "int", 3);
 $cancel = GETPOST('cancel', 'alpha');
 $contextpage= GETPOST('contextpage', 'aZ')?GETPOST('contextpage', 'aZ'):'useracard'; // To manage different context of search
@@ -195,14 +194,14 @@ if (empty($reshook)) {
 }
 if (!$error)
 {
- $object->lastname = GETPOST("lastname", 'alpha');
- $object->firstname = GETPOST("firstname", 'alpha');
- $object->login = GETPOST("login", 'alpha');
- $object->api_key = GETPOST("api_key", 'alpha');
- $object->gender = GETPOST("gender", 'alpha');
- $birth = dol_mktime(0, 0, 0, GETPOST('birthmonth'), GETPOST('birthday'), GETPOST('birthyear'));
+ $object->lastname = GETPOST("lastname", 'alphanohtml');
+ $object->firstname = GETPOST("firstname", 'alphanohtml');
+ $object->login = GETPOST("login", 'alphanohtml');
+ $object->api_key = GETPOST("api_key", 'alphanohtml');
+ $object->gender = GETPOST("gender", 'aZ09');
+ $birth = dol_mktime(0, 0, 0, GETPOST('birthmonth', 'int'), GETPOST('birthday', 'int'), GETPOST('birthyear', 'int'));
 $object->birth = $birth;
- $object->admin = GETPOST("admin", 'alpha');
+ $object->admin = GETPOST("admin", 'int');
 $object->address = GETPOST('address', 'alphanohtml');
 $object->zip = GETPOST('zipcode', 'alphanohtml');
 $object->town = GETPOST('town', 'alphanohtml');
@@ -217,7 +216,7 @@ if (empty($reshook)) {
 $object->facebook = GETPOST("facebook", 'alphanohtml');
 $object->linkedin = GETPOST("linkedin", 'alphanohtml');
- $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha'));
+ $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alphanohtml'));
 $object->job = GETPOST("job", 'nohtml');
 $object->signature = GETPOST("signature", 'none');
 $object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml');
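Review bot: In this create branch `$object->admin = GETPOST("admin", 'int');` takes the admin flag straight from the request, whereas the update branch later in the same file (hunk at line 347) only assigns it under `if (! empty($user->admin))` with a comment explaining that only an admin may set or clear the flag; unless reaching this branch already requires admin rights, which is not visible here, a user with create rights could create an administrator. Mirroring the guard, `if (! empty($user->admin)) $object->admin = GETPOST("admin", 'int');`, keeps the two paths consistent and makes the intended rule explicit at both sites. Switching the check to `'int'` is the right direction, since `'alpha'` accepted arbitrary text for a flag. The enclosing `if (empty($reshook))` block and the `if (!$error)` branch both continue past this hunk.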
@@ -233,10 +232,10 @@ if (empty($reshook)) {
 $object->weeklyhours = GETPOST("weeklyhours", 'alphanohtml') != '' ? GETPOST("weeklyhours", 'alphanohtml') : '';
 $object->color = GETPOST("color", 'alphanohtml') != '' ? GETPOST("color", 'alphanohtml') : '';
- $dateemployment = dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth'), GETPOST('dateemploymentday'), GETPOST('dateemploymentyear'));
+ $dateemployment = dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth', 'int'), GETPOST('dateemploymentday', 'int'), GETPOST('dateemploymentyear', 'int'));
 $object->dateemployment = $dateemployment;
- $dateemploymentend = dol_mktime(0, 0, 0, GETPOST('dateemploymentendmonth'), GETPOST('dateemploymentendday'), GETPOST('dateemploymentendyear'));
+ $dateemploymentend = dol_mktime(0, 0, 0, GETPOST('dateemploymentendmonth', 'int'), GETPOST('dateemploymentendday', 'int'), GETPOST('dateemploymentendyear', 'int'));
 $object->dateemploymentend = $dateemploymentend;
 $object->fk_warehouse = GETPOST('fk_warehouse', 'int');
@@ -348,15 +347,15 @@ if (empty($reshook)) {
 $db->begin();
- $object->lastname = GETPOST("lastname", 'alpha');
- $object->firstname = GETPOST("firstname", 'alpha');
- $object->login = GETPOST("login", 'alpha');
- $object->gender = GETPOST("gender", 'alpha');
- $birth = dol_mktime(0, 0, 0, GETPOST('birthmonth'), GETPOST('birthday'), GETPOST('birthyear'));
+ $object->lastname = GETPOST("lastname", 'alphanohtml');
+ $object->firstname = GETPOST("firstname", 'alphanohtml');
+ $object->login = GETPOST("login", 'alphanohtml');
+ $object->gender = GETPOST("gender", 'aZ09');
+ $birth = dol_mktime(0, 0, 0, GETPOST('birthmonth', 'int'), GETPOST('birthday', 'int'), GETPOST('birthyear', 'int'));
 $object->birth = $birth;
 $object->pass = GETPOST("password", 'none');
- $object->api_key = (GETPOST("api_key", 'alpha')) ? GETPOST("api_key", 'alpha') : $object->api_key;
- if (! empty($user->admin)) $object->admin = GETPOST("admin"); // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request
+ $object->api_key = (GETPOST("api_key", 'alphanohtml')) ? GETPOST("api_key", 'alphanohtml') : $object->api_key;
+ if (! empty($user->admin)) $object->admin = GETPOST("admin", "int"); // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request
 $object->address = GETPOST('address', 'alphanohtml');
 $object->zip = GETPOST('zipcode', 'alphanohtml');
 $object->town = GETPOST('town', 'alphanohtml');
@@ -365,15 +364,17 @@ if (empty($reshook)) {
 $object->office_phone = GETPOST("office_phone", 'alphanohtml');
 $object->office_fax = GETPOST("office_fax", 'alphanohtml');
 $object->user_mobile = GETPOST("user_mobile", 'alphanohtml');
- $object->skype = GETPOST("skype", 'alpha');
- $object->twitter = GETPOST("twitter", 'alpha');
- $object->facebook = GETPOST("facebook", 'alpha');
- $object->linkedin = GETPOST("linkedin", 'alpha');
- $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha'));
+
+ $object->skype = GETPOST("skype", 'alphanohtml');
+ $object->twitter = GETPOST("twitter", 'alphanohtml');
+ $object->facebook = GETPOST("facebook", 'alphanohtml');
+ $object->linkedin = GETPOST("linkedin", 'alphanohtml');
+
+ $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alphanohtml'));
 $object->job = GETPOST("job", 'nohtml');
 $object->signature = GETPOST("signature", 'none');
- $object->accountancy_code = GETPOST("accountancy_code", 'alpha');
- $object->openid = GETPOST("openid", 'alpha');
+ $object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml');
+ $object->openid = GETPOST("openid", 'alphanohtml');
 $object->fk_user = GETPOST("fk_user", 'int') > 0 ? GETPOST("fk_user", 'int') : 0;
 $object->employee = GETPOST('employee', 'int');
@@ -383,7 +384,7 @@ if (empty($reshook)) {
 $object->salaryextra = GETPOST("salaryextra", 'alphanohtml') != '' ? GETPOST("salaryextra", 'alphanohtml') : '';
 $object->weeklyhours = GETPOST("weeklyhours", 'alphanohtml') != '' ? GETPOST("weeklyhours", 'alphanohtml') : '';
- $object->color = GETPOST("color", 'alpha') != '' ? GETPOST("color", 'alpha') : '';
+ $object->color = GETPOST("color", 'alphanohtml') != '' ? GETPOST("color", 'alphanohtml') : '';
 $dateemployment = dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth', 'int'), GETPOST('dateemploymentday', 'int'), GETPOST('dateemploymentyear', 'int'));
 $object->dateemployment = $dateemployment;
 $dateemploymentend = dol_mktime(0, 0, 0, GETPOST('dateemploymentendmonth', 'int'), GETPOST('dateemploymentendday', 'int'), GETPOST('dateemploymentendyear', 'int'));
diff --git a/htdocs/website/index.php b/htdocs/website/index.php
index ef148ba609a..fe6d3a72ae4 100644
--- a/htdocs/website/index.php
+++ b/htdocs/website/index.php
@@ -2073,7 +2073,7 @@ if (! GETPOST('hide_websitemenu'))
 $formquestion = array(
 array('type' => 'checkbox', 'name' => 'delete_also_js', 'label' => $langs->trans("DeleteAlsoJs"), 'value' => 0),
 array('type' => 'checkbox', 'name' => 'delete_also_medias', 'label' => $langs->trans("DeleteAlsoMedias"), 'value' => 0),
- //array('type' => 'other','name' => 'newlang','label' => $langs->trans("Language"), 'value' => $formadmin->select_language(GETPOST('newlang', 'az09')?GETPOST('newlang', 'az09'):$langs->defaultlang, 'newlang', 0, null, '', 0, 0, 'minwidth200')),
+ //array('type' => 'other','name' => 'newlang','label' => $langs->trans("Language"), 'value' => $formadmin->select_language(GETPOST('newlang', 'aZ09')?GETPOST('newlang', 'aZ09'):$langs->defaultlang, 'newlang', 0, null, '', 0, 0, 'minwidth200')),
 //array('type' => 'other','name' => 'newwebsite','label' => $langs->trans("WebSite"), 'value' => $formwebsite->selectWebsite($object->id, 'newwebsite', 0))
 );
@@ -2088,7 +2088,7 @@ if (! GETPOST('hide_websitemenu'))
 $formquestion = array(
 array('type' => 'text', 'name' => 'siteref', 'label'=> $langs->trans("WebSite") ,'value'=> 'copy_of_'.$object->ref),
 //array('type' => 'checkbox', 'name' => 'is_a_translation', 'label' => $langs->trans("SiteIsANewTranslation"), 'value' => 0),
- //array('type' => 'other','name' => 'newlang','label' => $langs->trans("Language"), 'value' => $formadmin->select_language(GETPOST('newlang', 'az09')?GETPOST('newlang', 'az09'):$langs->defaultlang, 'newlang', 0, null, '', 0, 0, 'minwidth200')),
+ //array('type' => 'other','name' => 'newlang','label' => $langs->trans("Language"), 'value' => $formadmin->select_language(GETPOST('newlang', 'aZ09')?GETPOST('newlang', 'aZ09'):$langs->defaultlang, 'newlang', 0, null, '', 0, 0, 'minwidth200')),
 //array('type' => 'other','name' => 'newwebsite','label' => $langs->trans("WebSite"), 'value' => $formwebsite->selectWebsite($object->id, 'newwebsite', 0))
 );
@@ -2102,7 +2102,7 @@ if (! GETPOST('hide_websitemenu'))
 // Confirmation to clone
 if ($action == 'createpagefromclone') {
 // Create an array for form
- $preselectedlanguage = GETPOST('newlang', 'az09') ? GETPOST('newlang', 'az09') : ($objectpage->lang ? $objectpage->lang : $langs->defaultlang);
+ $preselectedlanguage = GETPOST('newlang', 'aZ09') ? GETPOST('newlang', 'aZ09') : ($objectpage->lang ? $objectpage->lang : $langs->defaultlang);
 $formquestion = array(
 array('type' => 'hidden', 'name' => 'sourcepageurl', 'value'=> $objectpage->pageurl),
 array('type' => 'checkbox', 'tdclass'=>'maxwidth200', 'name' => 'is_a_translation', 'label' => $langs->trans("PageIsANewTranslation"), 'value' => 0),